How to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the
following:

1. Set up a schedule to regularly archive audit files.

   Archive audit files by backing up the files to offline media. You can
   also move the files to an archive file system.

   If you are collecting text audit logs with the syslog utility, archive
   the text logs as well. For more information, see the logadm(1M) man
   page.

2. Set up a schedule to delete the archived audit files from the audit
   file system.

3. Save and store auxiliary information.

   Archive the information that is necessary to interpret the audit
   records along with the audit trail.

4. Keep records of which audit files have been archived.

5. Store the archived media appropriately.

6. Reduce the volume of audit data that you store by creating summary
   files.

   You can extract summary files from the audit trail by using options to
   the auditreduce command. The summary files contain only records for
   the specified types of audit events. To extract summary files, see
   Example 30–30 and Example 30–34.